A mechanism for an automated system to allow a user of the system to demonstrate his legitimacy by demonstration of secret knowledge. The mechanism is resistant to compromise by observation of its use. An array of symbols is presented to the user and the user is required to manipulate several symbols at once until assigned key symbols are manipulated into predetermined states. Doing so effectively prevents an observer from determining which symbols are the ones of interest. For example, pushing a button might cause several symbols in the array to exchange their positions. The user continues to do this, having, perhaps, to use several different buttons, until a certain subset of the symbols appears in certain locations within the array. (In this example, the arrangement of this subset of symbols is the user's password or PIN.) In this process many symbols in the array, in addition to the user's specific symbols, would also have been moved, making it virtually impossible for an observer to identify which symbols and array-positions are pertinent to the user's password or PIN.

the drawing in which:

Fig. 1 is a block diagram of an apparatus according to the present invention;
Fig. 2 is a flow chart of the operation of the apparatus of Fig. 1;
Fig. 3 is an example of a display screen showing an initial ARRAY STATE according to an embodiment of the present invention;
Fig. 4 is an example of the display screen of Fig. 1 showing a final ARRAY STATE including a user's authorized KEY STATE;
Fig. 5 is an illustration of an Automated Teller Machine (ATM) according to an embodiment of the present invention.

Like reference numerals appearing in more than one Fig. designate like elements.

Detailed Description of an Embodiment 

Fig. 1 illustrates a generalized embodiment of the present invention in block diagram form. The system of Fig. 1 includes a processor 102 (which can be a general purpose computer such as a work station or personal computer), a user I.D. input device 104 (which can be a keyboard or card reader), a means 106 to present information to the user (which can be a conventional video display, an array of LEDs or a tactile Braille output device), manipulator controls 108 (which can be a mouse, a touch screen device, a touch pad, buttons, joystick, track ball or audio pickup or any other input mechanism by which the processor can receive commands to manipulate the image on the display), a KEY STATE database 110, a user I.D. database 112 and access controls 114 which, on command of the processor 102, will enable a user to access a secured mechanism 116 (e.g. a lock for a room, computer files, an ATM dispenser). As an alternative embodiment, the KEY STATE database 110 and the USER I.D. database 112 may be eliminated by providing suitable information in protected form via the I.D. input device 104 (such as from the magnetic stripe on a charge card).

In accordance with the present invention, each user's PIN (or password or access code) is defined as a preassigned set of symbols (KEY SYMBOLS) in a preassigned configuration or state. The data defining these symbols and the preassigned configuration is referred to as the user's KEY STATE definition. The configuration of these KEY SYMBOLS within the ARRAY at any given time is referred to as the "KEY STATE". The user's PIN is entered by manipulating each of the KEY SYMBOLS into the correct configuration, position or state within the ARRAY. This correct KEY STATE (the user's personal KEY STATE) is defined by the user's KEY STATE definition and is specific to each user I.D. The correct KEY STATE constitutes secret knowledge which the user must demonstrate to obtain access to the secured mechanism.

The user's personal KEY STATE may be, for example, the positions of each of the KEY SYMBOLS within the ARRAY, irrespective of the placement and orientation of the pattern within the ARRAY. The initial ARRAY will contain, as a subset, the user's KEY SYMBOLS in some initial configuration or STATE. The configuration or state of the entire set of displayed symbols at any given time is referred to as the ARRAY STATE. A constraint on the initial ARRAY STATE is that the user's personal KEY STATE must be achievable with the transformations allowed by the manipulator controls 108. That is to say, the initial ARRAY STATE must be such that the user's KEY SYMBOLS can be manipulated into the proper state so as to form the user's PIN. Different initial ARRAY STATES that can be manipulated to achieve the user's personal KEY STATE are referred to as being in the same EQUIVALENCE CLASS. Initial ARRAY STATES that cannot be manipulated to achieve the user's personal KEY STATE are referred to as being in a different EQUIVALENCE CLASS.

Turning now to Fig. 2, in step 202 a user initiates a transaction by inputting a user identification code into the I.D. input device 104. This can be accomplished, for example, by typing a user I.D. on a keyboard or placing a magnetically coded card into a reader. In step 204 the processor checks the user I.D. against the user I.D. database 112 to determine if it is valid. If the processor recognizes the user I.D. as valid (i.e. authorized to access the system), it responds by accessing the user's KEY STATE definition from the KEY STATE database in step 206.

In step 208 the processor determines an initial ARRAY STATE that contains an initial KEY STATE in the same EQUIVALENCE CLASS as the user's personal KEY STATE. The initial ARRAY STATE can be determined in a number of different ways. For example, the processor 102 can start with the user's KEY STATE definition and calculate the effects of random operations of the manipulator controls in reverse sequence. The number of the manipulations can also be determined as some random number beyond an initial threshold. Advantageously, the above described method can be used to ensure that the initial KEY STATE displayed to the user is unlikely to be the same for any two transactions. As another example, the initial KEY STATE can be fixed or can be chosen at random from a number of fixed options in the KEY STATE database 110.

The embodiment described here takes the precaution of limiting the number of manipulations that the user is allowed in attempting to achieve the correct KEY STATE. This threshold number is calculated by the processor in step 210. This threshold can be calculated a number of alternative ways based on the minimum number of steps required to transform the initial KEY STATE to the correct KEY STATE. For example, the threshold could be set so as to require the user to achieve the proper key state in the minimum number of steps required. As an alternative, some additional number of steps can be allowed (e.g. the minimum plus some percentage of the minimum).

In steps 212 and 214, a timeout limit is determined and a timer is initialized to limit the amount of time that the user has to complete the manipulations. The timeout value can also be determined in a number of different ways. For example, the timeout value can be calculated based on the minimum number of steps required to transform the initial KEY STATE to the correct KEY STATE (for example by multiplying a fixed allotted time value per manipulation by the minimum number of manipulation steps required). Alternatively, a fixed timeout value can be used; or, a fixed timeout value can be added to a variable timeout value based on the minimum number of steps as described above.

In any event, the manipulation threshold and timeout values are used in steps 222 through 236 as described below. Note that the nature of this invention provides the opportunity for these precautions.

In step 216 the ARRAY is displayed in the 
initial ARRAY STATE determined in step 206. 

Next, in step 218 the processor begins a loop to process the user's input via the MANIPULATORS. The MANIPULATOR controls 108 are provided to enable the user to achieve his personal KEY STATE by transforming the SYMBOL STATES. For example, in the system of Fig. 1, a SYMBOL STATE (any uniquely identifiable condition that a symbol can exhibit) can be defined by the position of the symbol in the ARRAY. It should be understood, however, that the SYMBOL STATE can be defined in many other ways. Examples include, but are not limited to, position in the array, color, orientation, etc.

Within the manipulation loop the processor monitors the user's use of the manipulators (step 224) and displays the modified ARRAY STATE in accordance with the user selected manipulations (step 226). Also, within the manipulation loop the processor keeps track of the time taken and the number of manipulations used (step 228) by the user. If these thresholds are exceeded (as determined in steps 222 and 229 respectively) the transaction is aborted (step 236) and the system is reinitialized (step 238).

It should be understood that although shown as a single step for clarity, the timeout monitoring of step 222 is performed continuously from the time that step 218 is executed, until either the transaction is aborted (step 236) or the user signals "done" (step 230), whichever occurs first. That is to say that if a timeout occurs at any point between the start of the timer in step 218 and the user signalling "done" in step 230, the transaction will be aborted.

When the user is satisfied that he has manipulated the array into the proper KEY STATE, he signals (for example by pressing a key or a button) to request verification of his password. This signal is detected at step 230. In response to this signal, in step 232 the system compares the user's KEY STATE definition (retrieved in step 206) with the displayed ARRAY STATE. If the user's KEY STATE is found correctly in the FINAL ARRAY STATE (the displayed ARRAY STATE at the time the user signals that he is satisfied), in step 234 the system provides the user access to the controlled resource and, at the conclusion of the user's transaction, re-initializes the system in step 238. In the event that the user's entry is determined (in step 232) not to be correct, then the transaction is aborted in step 236 and the system is re-initialized in step 238.

An example of an ARRAY of symbols as they might appear on the display of Fig. 1 and an associated manipulator mechanism is illustrated in Fig. 3. By using the manipulator buttons 318 (a-h) the user may alter the positions of the symbols (A0-D3). In the example of Fig. 3, there are 4 KEY SYMBOLS (B1, A1, C2, D2). Pressing a manipulator button on a given column or row shifts the entire corresponding string (row or column) of SYMBOLS in a circular fashion in the direction of the button. Thus, on each manipulation, symbols other than the KEY SYMBOLS are also shifted, thereby preventing an observer from knowing which set of SYMBOL STATES constitute the KEY STATE.
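The flow of steps 208 through 232 with row and column shifting, as an added example that is not part of the patent text. The 4x4 array, the key state, the button mapping (a-d shift a row left, e-h shift a column up) and all function names are constructed assumptions, and the timer of steps 212-222 is left out.

```python
import secrets

SIZE = 4
BUTTONS = "abcdefgh"   # assumed mapping: a-d shift rows 0-3 left, e-h shift columns 0-3 up

# Constructed final ARRAY STATE and KEY STATE definition (not the page's Fig. 4).
FINAL = [["B1", "A0", "A2", "A3"],
         ["A1", "B0", "B2", "B3"],
         ["C2", "C0", "C1", "C3"],
         ["D1", "D0", "D2", "D3"]]
KEY_STATE = {"B1": (0, 0), "A1": (1, 0), "C2": (2, 0), "D1": (3, 0)}


def press(grid, button, times=1):
    """Return a new grid after pressing one manipulator button `times` times.
    Every symbol in the chosen row or column moves, key symbol or not."""
    idx = BUTTONS.index(button)
    g = [row[:] for row in grid]
    k = times % SIZE
    if idx < SIZE:                                   # circular shift of a row, leftwards
        g[idx] = g[idx][k:] + g[idx][:k]
    else:                                            # circular shift of a column, upwards
        c = idx - SIZE
        col = [g[r][c] for r in range(SIZE)]
        col = col[k:] + col[:k]
        for r in range(SIZE):
            g[r][c] = col[r]
    return g


def key_state_ok(grid, key_state):
    """Step 232: only the KEY SYMBOL positions are compared, the rest is ignored."""
    return all(grid[r][c] == sym for sym, (r, c) in key_state.items())


def initial_state(final_grid, key_state, n_moves, rng=None):
    """Step 208: apply random presses in reverse, starting from a grid that
    holds the key state. Returns (initial grid, press sequence that restores it)."""
    rng = rng or secrets.SystemRandom()
    while True:
        grid, solution = final_grid, []
        for _ in range(n_moves):
            b = rng.choice(BUTTONS)
            grid = press(grid, b, SIZE - 1)          # SIZE-1 presses undo one press
            solution.insert(0, b)                    # replay order is the reverse
        if not key_state_ok(grid, key_state):        # never display a solved array
            return grid, solution


def attempt(initial, key_state, presses, max_presses):
    """Steps 218-236: abort when the manipulation threshold is exceeded,
    otherwise check the key state once the user signals done."""
    if len(presses) > max_presses:
        return False
    grid = initial
    for b in presses:
        grid = press(grid, b)
    return key_state_ok(grid, key_state)


if __name__ == "__main__":
    start, moves = initial_state(FINAL, KEY_STATE, 12)
    for row in start:
        print(" ".join(row))
    print("presses:", "".join(moves), "->", attempt(start, KEY_STATE, moves, 12))
```

Because the array is derived by undoing presses, the displayed initial state is always in the same EQUIVALENCE CLASS as the stored key state, and a fresh random draw per transaction changes which presses are needed.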

When the user is done manipulating the ARRAY the ENTER key 320 is pressed on the manipulator controls so indicating. This is detected in step 230 of Fig. 2. In response, in step 232, the processor compares the KEY STATE of the modified ARRAY with the user's KEY STATE definition retrieved from the KEY STATE database 110 in step 206. If the KEY STATE within the displayed ARRAY matches the user's KEY STATE definition (as determined in step 232), the processor signals the access controls 114 which, in turn, enables the user to access the secured mechanism in step 234. After the access is complete, in step 238 the processor can reinitialize the system to prepare for another user.

If, in step 230, it is determined that the KEY STATE of the displayed ARRAY does not match the user's KEY STATE, the transaction is aborted and the system is reinitialized. The processor can also store the number of failed attempts to enter a PIN by any given user. In such an embodiment, the processor can be programmed to prevent attempts by a given user beyond a predetermined failed-attempt threshold.

Fig. 4 is an example of the ARRAY of Fig. 3 having the KEY SYMBOLS (B1, A1, C2, D1) in the proper KEY STATE defining the user's PIN. In this example, the manipulation of the array would require 12 steps. These steps are: three presses of button 318(a) so as to shift symbol B1 three places to the left, three presses of button 318(b) so as to shift symbol A1 three places to the left, two presses of button 318(c) so as to shift symbol C2 three places to the left and four presses of button 318(d) so as to shift symbol D1 four places to the left. In general, with the embodiment described here, vertical transformations (accomplished by pressing manipulator buttons 318(e)-318(h)) would also be required to achieve the user's KEY STATE (illustrated in Fig. 4) from the initial ARRAY STATE (Fig. 3) but, for simplicity's sake, are not required in this example.

Shifting is, of course, just one example of how the state of a symbol can be transformed. Other types of transformations (e.g. color, shape or orientation changes) can be used as an alternative as long as the MANIPULATORS affect groups of SYMBOLS without identifying any specific SYMBOLS in the group as unique. In other words, the set of symbols to be manipulated is identified by the user as a whole.

Turning now to Fig. 5, an automated teller machine (ATM) 500 according to an embodiment of the present invention is illustrated. As is conventional, the ATM includes a slot 502 for receiving a magnetically coded identification card (ATM card), a dispenser 504 for distributing cash and/or a transaction record, a display screen 506 for displaying information to a user and a keyboard 508 by way of which the user can select a transaction, respond to inquiries and input other information. These features and the workings of their associated support mechanisms are well known in the art. In accordance with the present invention, the ATM of Fig. 1 also includes manipulator buttons 510 arranged in row and column fashion along the periphery of the display screen 506.

In accordance with an embodiment of the present invention, a user initiates a transaction by placing the ATM card into the slot 502. If the ATM 500 successfully reads the card, it responds by displaying an array of symbols on the display screen 506. At this point, the user is prompted to manipulate the symbols into new array positions. As with the embodiment of Fig. 1, the user manipulates each of the KEY SYMBOLS into the correct position within the ARRAY. This correct KEY STATE is specific to each user or account as identified by the ATM card. If the user successfully manipulates the ARRAY to the correct KEY STATE within a threshold number of steps, the ATM allows a user selected transaction to proceed to completion. If the user does not successfully manipulate the ARRAY, the transaction is not allowed to proceed or is aborted.

A system embodying the present invention can protect itself from compromise by an observer simply remembering and reproducing an observed final ARRAY STATE (i.e. state of the entire array). It can also protect itself from an observer remembering and reproducing the sequence of actions performed by the legitimate user. This is accomplished in two basic ways:

1. Choosing initial ARRAY STATES from a large universe of EQUIVALENCE CLASSes.

Depending on the actual ARRAY, SYMBOLS and MANIPULATORS, the number of equivalence classes can be extremely large. This can make it impossible, or highly unlikely, that any arbitrary final ARRAY STATE can be achieved by use of the MANIPULATORS from an initial ARRAY STATE. At the same time, the initial KEY STATE must be chosen to be in the same EQUIVALENCE CLASS as the user's personal KEY STATE to make it possible for the user to achieve his personal KEY STATE.

It is possible to satisfy both conditions with appropriately chosen STATE and MANIPULATOR definitions since there are fewer constraints on the achievable KEY STATEs than there are on the achievable ARRAY STATEs when, as defined here, the KEY STATE is a subset of the ARRAY STATE. For example, the initial ARRAY STATE of Fig. 3 could have the initial positions of each of the KEY SYMBOLS shifted up by one column; also, symbols other than the KEY SYMBOLS could be changed completely (e.g. C7 or F1 could replace C5). As another example, the manipulator buttons could be programmed to cause rows or columns of symbols to be swapped with a succeeding or preceding row or column.

The net effect is a one-way, or "trap door", function. That is, an authorized user can easily achieve the desired final KEY STATE from the initial KEY STATE without regard to the overall final ARRAY STATE, but an observer, only knowing a previous final ARRAY STATE, can neither deduce the final KEY STATE nor reproduce the final ARRAY STATE. An imposter trying to compromise a system using this technique would find himself incapable of reproducing the final ARRAY STATE he had originally observed, nor would he be able to achieve the correct KEY STATE by simply mimicking the legitimate user's actions.

2. Making the user's personal KEY STATE differ 
from one use of the system to another. 

This can be done by making the user's personal KEY STATE in some way dependent on the initial ARRAY STATE and choosing from a large universe of initial ARRAY STATES. For example, the initial ARRAY STATE could be randomized (within the above constraint) and furthermore require that one of the KEY SYMBOLS be left in its initial, randomized, state. For example, in the ARRAY of Fig. 3, a user's key might be defined by the relative positions of A1, C2 and D1 to the initial randomized position of B1.

An impostor trying to compromise a system using this technique would find that even if he were to reproduce a previously observed final ARRAY STATE, the KEY STATE appropriate to this instance would not be achieved. Again, mimicking the legitimate user's actions would not achieve the correct KEY STATE.

Using a combination of these two methods 
greatly improves the security of the system. 

In addition to providing a method of use that is resistant to compromise by observation, this invention also provides some other benefits. The concept of an ARRAY and a STATE within that ARRAY significantly adds to the security of a password or PIN by increasing the size of the keyspace. (For example, most PINs today are shared by literally hundreds of people. This is a consequence of the size of the PIN key space: for a four digit PIN its maximum size is 10,000, while there may be as many as 200,000 customers of a given bankcard.) Even with the increased keyspace, a system using the present invention can provide an easier-to-remember PIN by using pictured ICONS (as SYMBOLS) on a full graphical data output device.

An ATM machine is only one example of the applicability of the present invention. The present invention can just as readily be applied to any device or area whose access is secured by a personalized code. For example, the present system can be implemented on a computer system which is used to control access to a secured area (e.g. by unlocking a door when the PIN is entered properly). As another example, the present system could be used to control access to a secure computer program or data area of the system by providing access only to those who log on using an authorized user name and are able to show special knowledge by manipulating the ARRAY into the proper KEY STATE for that user name.



It should be understood that the embodiments described herein have been provided by way of example and not by way of limitation. In light of the foregoing description, many modifications and variations which do not depart from the scope and spirit of the invention will occur to those of skill in the art. Thus, the scope of the invention is defined by the appended claims.

Claims

1. A system for providing access to a secure device, comprising:
input means for receiving user identification information;
display means, coupled to said input means, for displaying a plurality of symbols in an initial state, said plurality of symbols including a subset of symbols (key symbols) which are elements of an access key corresponding to said user identification information;
manipulator means, coupled to said display means, for simultaneously changing a displayed state of a multiplicity of said symbols;
comparison means, coupled to said manipulator means, for comparing a state of said key symbols with a key state defining said access key; and,
access authorization means, coupled to said comparison means, for providing access to said secure device when said comparison means indicates that said displayed state of said key symbols matches said access key.

2. The system of Claim 1 wherein said key state is defined by a color of said symbols, or by a position of said symbols on said display means.

3. The system of Claim 1 or 2 wherein said initial state of said symbols is in the form of a row and column array, and/or wherein said manipulator means comprises means for simultaneously altering a row or column position of a plurality of said symbols within said array.

4. The system of Claim 1, 2 or 3 further comprising first database means, coupled to said input means, for storing data defining a plurality of key states and for retrieving said access key responsive to receipt of said user identification information, and/or further comprising second database means, coupled to said input means, for storing data indicative of a plurality of users and processor means for comparing said user identification with said users in said database to determine whether an authorized user is attempting to access said secure device, wherein said input means preferably comprises means for receiving an identification card, said identification card having means for storing said user identification information.

5. The system of Claim 1 or one of the Claims 2 or 3 wherein said input means comprises means for receiving an identification card, said identification card having means for storing said user identification information and said key state.

6. The system of Claim 1 or one of the Claims 2 to 5 further comprising signal means, coupled to said authorization means, for indicating when a user has completed manipulation of said symbols and wherein said authorization means is operable responsive to said signal means.

7. The system of Claim 1 or one of the Claims 2 to 6 further comprising:
verification means coupled to said input means, for determining whether said user identification information is indicative of an authorized user of said secured device and for denying access to said secure device when said identification information is not indicative of an authorized user, and
signal means, for indicating when a user is finished changing said displayed position.

8. A method of providing access to a secure device, comprising the steps of:
receiving user identification information;
displaying a plurality of symbols in an initial state, said plurality of symbols including a subset of symbols (key symbols) which are elements of a user access key corresponding to said user identification information;
simultaneously changing a displayed state of a multiplicity of said plurality of symbols;
after said changing, comparing a state of said key symbols with a key state defining said user access key; and,
providing access to said secure device when said comparing indicates that said displayed state of said key symbols matches said user access key;
wherein said access key preferably is defined by a position of said symbols on said display means, and
wherein said initial state of said symbols is preferably in the form of a row and column array.

9. The method of Claim 8 wherein said simultaneously changing comprises the step of simultaneously altering a row or column position of a multiplicity of said symbols within said array.

10. The method of Claim 8 or 9 further comprising the step of storing data defining a plurality of access keys and retrieving said user access key responsive to receipt of said user identification information, and/or further comprising the steps of storing data indicative of a plurality of users and, comparing said user identification information with said users in said database to determine whether an authorized user is attempting to access said secure device, wherein said receiving preferably comprises the step of receiving an identification card, said identification card having means for storing said user identification information.

11. The method of Claim 8 or 9 wherein said receiving comprises the step of receiving an identification card, said identification card having means for storing said user identification information and said user access key.

12. The method of Claim 8, 9, 10 or 11 further comprising the step of indicating when a user has completed manipulation of said symbols performing said comparing responsive to said indicating.